Two Steps to CCPA Compliance

by | Jul 16, 2018

California Consumer Privacy Act (CCPA) Legal Background

You’ve been hearing about the CCPA since 2018.   And you likely know that it goes into effect on January 1 and its been estimated that 500,000 businesses inside and outside of California are in the crosshairs of the law.   You’ve heard over and over about why you should be concerned because of the potential cost of violations initiated by the CA Attorney General ($2500 – $7500 per consumer violation) and that California consumers have a private right of action that can cost your business $100-$700 per consumer for data breaches.   Yes, there are still some regulations that still being ironed out by the California Attorney General that define violations.   But what you do or don’t do starting January 1 can still affect your business.

Operationalize CCPA with these 2 steps

What do you need to do, you ask?   There are two types of actions that your business needs to take to comply with the law.

  1. Security – You need to “implement and maintain reasonable security procedures and practices to protect the personal information” of California consumers
  2. Consumer Requests (Data Subject Access Requests or DSARs) – Your business needs to act on consumer requests using procedures that comply with the regulations defined by the CA Attorney General regarding:
    • Their right to know the categories and actual personal information you maintain
    • Their right to to have their personal information deleted
    • Their right to opt-out of sale of their personal information

Details about the 2 steps to Operationalize

Ok, I know you had your hopes up that because there were only two things to do, they must be simple.   Unfortunately, they aren’t for many organizations.   For the first time you may find that your business needs to implement data security protections beyond what you have done previously because you now have a new compliance requirement.   Simply having firewalls, anti-malware, user training on how to recognize phishing and good backups of data isn’t enough to be considered reasonable.   The next article will discuss “reasonable security procedures and practices”.

The second requirement for operationalizing CCPA compliance is to enable the business to respond to consumer requests.   This requires 2 top-level activities:

  • Locating (Data Mapping) all the CA consumer PI stored by applications and individuals in databases and files with the categories of sources and how your business uses or transfers the PI
  • Implementing workflow and record keeping of consumer requests for Right to Know, Right to Delete, and Right to Opt-out of sale of their PI and details of the responses to these requests

Smaller businesses may be able to map and maintain the mapping of PI data manually.   Larger organizations may find that it is less expensive to use tools to automate the mapping and maintenance of the mapping over time.   Some tools can even help with discovery of attempts to exfiltrate PI with or without (data breach) a business purpose.

Likewise, smaller organizations can use a simple automated human workflow to capture requests and store the responses for the required 2 years.   Larger organizations may find significant cost savings by automating the activities of doing lookups of PI and their categories and automating the consumer verification process, the decision process, the delivery of results to the consumer and the record keeping.

Send me an email or LinkedIn message if you’d like some deeper discussion on operationalizing CCPA. ([email protected])

#CCPA #Infosec #cybersecurity #privacy #GDPR